Attackers continue to target Microsoft identities to gain access to connected Microsoft applications and federated SaaS applications. Additionally, attackers continue to progress their attacks in these environments, not by exploiting vulnerabilities, but by abusing native Microsoft functionality to achieve their objective. The attacker group Nobelium, linked with the SolarWinds attacks, has been documented using native functionality like the creation of Federated Trusts [1] to enable persistent access to a Microsoft tenant.
This article demonstrates an additional native functionality that when leveraged by an attacker enables persistent access to a Microsoft cloud tenant and lateral movement capabilities to another tenant. This attack vector enables an attacker operating in a compromised tenant to abuse a misconfigured Cross-Tenant Synchronization (CTS) configuration and gain access to other connected tenants or deploy a rogue CTS configuration to maintain persistence within the tenant. Vectra AI has not observed the use of this technique in the wild but given the historical abuse of similar functionality — Vectra AI presents details for defenders to understand how the attack would present and how to monitor for its execution. In addition, the article will review how Vectra AI customers currently have coverage — and have had coverage from day one of the functionality being released for this technique through their AI-driven detections and Vectra Attack Signal IntelligenceTM.
CTS is a new feature from Microsoft that enables organizations to synchronize users and groups from other source tenants and grant them access to resources (both Microsoft and non-Microsoft applications) in the target tenant. CTS features build on previous B2B trust configurations enabling automated and seamless collaboration between different tenants and is a feature that many organizations will look to adopt. [2] [3]
CTS is a powerful and useful feature for organizations like business conglomerates with multiple tenants across affiliated companies, but also opens potential reconnaissance, lateral movement and persistence attacks by bad actors if not configured and managed correctly. Read on for the potential risks and attack paths that adversaries can leverage to exploit CTS to abuse trust relationships from a potentially compromised tenant to any other tenant configured with a CTS trust relationship.
The exploitation techniques follow Assumed Compromise philosophy. The techniques used in these exploits assume that an identity has been compromised in a Microsoft cloud environment. In a real-world setting, this could originate from a browser compromise on an Intune-managed endpoint with a Microsoft-managed identity.
Source tenant | Tenant from where users & groups are getting synced |
Target tenant | Tenant with resources where users & groups are getting synced |
Resources | Microsoft applications (Teams, SharePoint, etc.) and non-Microsoft applications (ServiceNow, Adobe, etc.) |
CTS | Abbreviation to reference 'Cross Tenant Synchronization' in this document |
CTA | Abbreviation to reference 'Cross Tenant Access' in this document |
Compromised Account | Adversaries initial point of access |
Important things to know about CTS configuration:
The attack techniques described in this article require certain licenses and a privileged account compromise or privilege escalation to certain roles in the compromised tenant. A Global Admin role can perform all these actions in a tenant. [3]
Action | Source Tenant | Target Tenant |
Tenant License | Azure AD Premium P1 or P2 | Azure AD Premium P1 or P2 |
Configure CTA | Security Administrator | Security Administrator |
Configure CTS | Hybrid Identity Administrator | N/A |
Assign users to CTS configuration | Cloud Admin or Application Admin | N/A |
An attacker operating in a compromised environment can exploit an existing CTS configuration tenant to move laterally from one tenant to another connected tenant.
Figure 1 : Lateral Movement Attack Overview |
An attacker operating in a compromised tenant can deploy a rogue Cross Tenant Access configuration to maintain persistent access.
Figure 2: CTS Backdoor Attack Overview |
Vectra's existing portfolio of alerts are capable of detecting this activity even prior to understanding this operation's implication as well as the expected actions that would occur prior to this event.
The fact that there is no actual vulnerability exploited in this technique makes it harder to prevent once an adversary is in the environment with sufficient privileges. However, Vectra's AI-driven detections have been designed to detect these types of privilege abuse scenarios without having to rely on signatures or lists of known operations.
Vectra's Azure AD Privilege Operation Anomaly monitors for the underlying value of every operation in the environment and every user. The AI continuously creates a baseline of the types of actions that should be occurring in the environment and identifies cases of cloud-based privilege abuse. By focusing on the behavior of privilege abuse, Vectra is able to identify emerging techniques like the one documented here.
Figure 3: Compromised Account deploying Cross Tenant Access Policy in compromised tenant |
Figure 4: Compromised account enabling Inbound Sync into the tenant |
Figure 5: Compromised account enabling Automatic User Consent Redemption |
Attacker actions that would occur prior to the attack such as the account access following a token theft or other forms of account compromise, would be alerted on by Vectra detections like Azure AD Unusual Scripting Engine Usage, Azure AD Suspicious Sign-on or Azure AD Suspicious OAuth Application.
Testing environments regularly and effectively is the best way to be confident in the ability to defend against cyberattacks. MAAD-Attack Framework is an open-source attack emulation tool that combines the most commonly used attacker techniques and allows security teams to quickly and effectively emulate them in their environments via a simple interactive terminal. Check out MAAD-AF on GitHub or learn more about it here.
Security teams can use MAAD-AF module "Exploit Cross Tenant Synchronization" to emulate and test against the CTS exploitation techniques in their environment.
Want to learn more?
Vectra AI is the leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. The Vectra AI Platform delivers the integrated signal powering XDR, SIEM, SOAR — whatever your pane of glass. This powerful platform equips SOC teams with hybrid attack surface coverage and real-time Attack Signal Intelligence, along with integrated, automated and co-managed response. Companies can choose the modules they need to achieve full coverage across identity, public cloud, SaaS and data center networks.
Contact Vectra AI today.
References: